Channel: Opinion: Shopify Community - Shopify Apps

7Spikes commented on How to validate every request that comes from Shopify when the code parameter is not present in every request?

I agree about the introduction of additional parameters and that I need to send the whole query string. But I do not agree that the documentation is very clear. I think it is more confusing than clear. Read this for the first time and you are confused at the very first two sentences:

"Every request or redirect from Shopify to the client server includes a signature and hmac parameters that can be used to ensure that it came from Shopify. The signature attribute is deprecated due to vulnerabilities in how the signature is generated."

I also think the "HMAC Signature Validation" section should explicitly mention that the parameters in the example could be fewer or more between requests, or change in the future, and therefore say explicitly that the whole query string needs to be worked with.

Regarding my OAuth process and the registration of users: I am actually registering the users because they will be accessing their Shopify store from a Gmail browser extension and my service (essentially my API) is standing in the middle. That is why I also have a problem with refreshing the Shopify access token whenever the store owner loads the app in their Shopify store.

Regarding establishing a session, I agree, and this is very similar to what I have actually done. I just needed to be able to validate the initial callback URL and from then on establish a session key which is stored in the database, returned to the user and later used to validate every request.

Anyway if you are curious, my app beta version starts here: www.storakle.com

Thanks for your posts, they have been very useful!
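The whole-query-string check discussed in this thread, as an added example that is neither 7Spikes' code nor Shopify's: it drops the hmac and signature parameters, canonicalizes whatever parameters remain (so newly added ones still verify), recomputes HMAC-SHA256 with the app secret and compares in constant time. The secret and sample values are constructed placeholders, and the &/%/= escaping step follows the Shopify documentation; check it against the current docs for your app.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

# Constructed placeholder; a real app uses its API secret key from the Partner dashboard.
APP_SECRET = "example-app-secret"

# Parameters that are never part of the signed message.
UNSIGNED = ("hmac", "signature")


def build_message(query_string: str) -> str:
    """Rebuild the canonical string Shopify signs, from the full query string.

    Every parameter except hmac/signature is kept, whatever Shopify sent on
    this particular request. Keys are sorted and joined as key=value with '&';
    '&' and '%' are escaped in keys and values, '=' only in keys.
    """
    kept = []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key in UNSIGNED:
            continue
        k = key.replace("%", "%25").replace("&", "%26").replace("=", "%3D")
        v = value.replace("%", "%25").replace("&", "%26")
        kept.append((k, v))
    kept.sort()
    return "&".join(f"{k}={v}" for k, v in kept)


def sign_query(query_string: str, secret: str) -> str:
    """Hex HMAC-SHA256 of the canonical message (what Shopify puts in hmac=)."""
    msg = build_message(query_string).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def verify_shopify_query(query_string: str, secret: str) -> bool:
    """True only if the hmac parameter matches the rest of the query string."""
    provided = dict(parse_qsl(query_string, keep_blank_values=True)).get("hmac")
    if not provided:
        return False  # no hmac at all: reject rather than fall back to anything
    expected = sign_query(query_string, secret)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed callback query; the shop, timestamp and code are not real.
    q = "shop=example.myshopify.com&timestamp=1337178173&code=abc123"
    signed = q + "&hmac=" + sign_query(q, APP_SECRET)
    print(verify_shopify_query(signed, APP_SECRET))  # True
```

Because the message is rebuilt from the incoming parameters rather than a fixed list, a request with an extra or missing parameter still verifies correctly only if Shopify signed exactly that set.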
